
Bitrefill, a cryptocurrency-based e-commerce and gift card service provider, disclosed that it suffered a cyberattack beginning March 1, 2026, in which attackers accessed parts of its internal systems, drained funds from hot wallets, and exposed limited customer data. The company identified strong indicators linking the intrusion to the North Korean state-backed Lazarus Group, including its Bluenoroff subgroup known for targeting crypto platforms.
The breach originated from a compromised employee laptop, which allowed attackers to infiltrate Bitrefill’s broader infrastructure, including segments of its database and certain cryptocurrency wallets. During the intrusion, threat actors executed unauthorized transactions and placed suspicious purchases through vendor channels.
The incident exposed approximately 18,500 purchase records containing limited customer information, including email addresses, cryptocurrency payment addresses, and associated metadata such as IP addresses. Around 1,000 of these records carried a higher exposure risk because they included customer names in encrypted form. Affected individuals in this subset have been notified.
Bitrefill stated that its investigation found no evidence of a full database exfiltration. Activity observed during the breach indicated targeted queries consistent with reconnaissance and attempts to identify accessible assets, including cryptocurrency holdings and gift card inventory, rather than a broad extraction of user data.
The company emphasized that it does not require mandatory Know Your Customer verification for most transactions. In cases where identity verification is necessary, customer data is handled exclusively by an external provider and is not stored within Bitrefill’s internal systems.
The attack bears hallmarks consistent with previous operations attributed to the Lazarus Group, including the use of specific malware, infrastructure patterns, and operational techniques. The group has been widely associated with large-scale cryptocurrency thefts, including record-setting exploits targeting major exchanges.
The broader threat landscape has seen a significant escalation in activity linked to North Korean actors. In 2025, entities associated with the Democratic People’s Republic of Korea were responsible for cryptocurrency thefts totaling $2.02 billion, representing a substantial portion of the $3.4 billion stolen across the sector.
Bitrefill reported that it has contained the incident, temporarily taking systems offline as part of its response. Core services, including payments, account access, and inventory, have since been restored, with transaction volumes returning to normal levels.
The company confirmed it will absorb any financial losses resulting from the breach using its operational capital. It engaged multiple cybersecurity and incident response firms, including zeroShadow, SEAL911, and RecoverisTeam, to support containment, investigation, and recovery efforts.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543